Managing Kerberos in Oracle® Solaris 11.4

Updated: August 2020

How to Use kdcmgr to Configure a Slave KDC

Before You Begin

The master KDC server is configured.

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Create a slave KDC.

    On the command line, run the kdcmgr command and name the administrator, the realm, and the master KDC.

    The script prompts for the two passwords that you created when you created the master KDC, one for the administrative principal and one for the KDC database. For the EXAMPLE.COM example, you created the passwords in Example 1, Running the kdcmgr Command Without Arguments.

    kdc2# kdcmgr -a kws/admin -r EXAMPLE.COM create -m kdc1 slave
    Starting server setup
    Setting up /etc/krb5/kdc.conf
    Setting up /etc/krb5/krb5.conf
    Obtaining TGT for kws/admin ...
    Password for kws/admin@EXAMPLE.COM: xxxxxxxx
    Setting up /etc/krb5/kadm5.acl.
    Setting up /etc/krb5/kpropd.acl.
    Waiting for database from master...
    Waiting for database from master...
    Waiting for database from master...
    kdb5_util: Cannot find/read stored master key while reading master key
    kdb5_util: Warning: proceeding without master key
    Enter KDC database master key: xxxxxxxx
    Setup COMPLETE.
  2. (Optional) Display the status of the KDC.

    # kdcmgr status

  3. Synchronize this system's clock with other clocks in the realm.

    For more information and pointers to procedures, see Synchronizing Clocks Between KDCs and Kerberos Clients. See also the krb5.conf(5) man page.

  4. Return to the master KDC to make it a client of the clock synchronization server.
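
A post-setup check for the procedure above, added here as an example and not taken from the Oracle documentation: it confirms that the four files kdcmgr reports setting up exist and are not group- or world-writable, that krb5.conf names the realm, and that kpropd.acl lists the master's host principal. The function name check_slave_kdc, its arguments, and the host/<master>[.domain]@REALM entry form are assumptions.

```shell
# Added example; check_slave_kdc and its arguments are hypothetical names.
# Usage: check_slave_kdc CONF_DIR REALM MASTER   e.g. /etc/krb5 EXAMPLE.COM kdc1
check_slave_kdc() {
    dir=$1; realm=$2; master=$3; rc=0

    # The four files that kdcmgr reports setting up in the session above.
    for f in kdc.conf krb5.conf kadm5.acl kpropd.acl; do
        file="$dir/$f"
        if [ ! -f "$file" ]; then
            echo "FAIL: $file is missing"; rc=1; continue
        fi
        # Group- or world-writable files let a non-root user alter realm
        # settings or the list of principals allowed to push the database.
        if [ -n "$(find "$file" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "FAIL: $file is writable by group or other"; rc=1
        fi
    done

    # krb5.conf should carry the realm that was passed to kdcmgr -r.
    if ! grep -Eq "default_realm[[:space:]]*=[[:space:]]*$realm[[:space:]]*\$" \
            "$dir/krb5.conf" 2>/dev/null; then
        echo "FAIL: default_realm in krb5.conf is not $realm"; rc=1
    fi

    # kpropd.acl must list the master's host principal (assumed form:
    # host/<master>[.domain]@REALM), otherwise propagation is refused.
    if ! grep -Eq "^host/$master(\.[^@[:space:]]+)?@$realm[[:space:]]*\$" \
            "$dir/kpropd.acl" 2>/dev/null; then
        echo "FAIL: kpropd.acl has no host/$master entry for $realm"; rc=1
    fi

    # Every principal listed in kpropd.acl may propagate a database to this
    # host, so flag any non-comment entry that is outside the realm.
    foreign=$(grep -Ev "^[[:space:]]*(#|\$)" "$dir/kpropd.acl" 2>/dev/null |
              grep -Ev "@$realm[[:space:]]*\$") || true
    if [ -n "$foreign" ]; then
        echo "FAIL: kpropd.acl entry outside $realm: $foreign"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: slave KDC files in $dir look consistent"
    return "$rc"
}
```

Run it as root on the slave after kdcmgr prints Setup COMPLETE; a nonzero return status means at least one FAIL line was printed.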